Exploring the Edge Transport Server Frontier


By Kate Follis

Imagine if you will a future where communication occurs almost instantly, where messages of vital importance are dependably delivered, where forged messages are immediately identified, where the Trojan horse never makes it past the gate... Now, embrace that future, because it is possible now. Let me share with you a story of how one intrepid messaging administrator discovered the benefits of deploying a Microsoft Exchange Server 2007 Edge Transport server.

Administrator’s Log, Stardate Exchange 2007

Today I deployed a communication solution that finally satisfies the countless requirements of corporate headquarters and helps improve internal system performance. I expect this innovation to cement my promotion to Enterprise Administrator of the whole Northwind Traders forest.

It all began this morning. The call came in before I’d finished my first cup of coffee. Corporate headquarters entrusted me with the negotiation of trade agreements with Wide World Importers. I thought that our current messaging system was good enough, although my Engineering officer has been saying “Admin, I can’t keep up with this spam!” rather frequently lately. After all, we are running Exchange 2007 with all the anti-spam agents enabled and configured on an Internet-facing Hub Transport server. But when I received the directive from corporate, I realized that I would need more features.

“Admin, are you sure that you’re up to this task?” asked the Chief Communications officer for Northwind Traders.

“Of course, sir, we’re running Exchange 2007,” I confidently replied.

“Yes, I’ve heard it’s secure,” he replied. “How’s your messaging hygiene? There’s nothing more annoying than enabling anonymous access to your communications port only to have someone from Tailspin Toys bring in infected attachments.”

“Hmm,” I thought to myself. “I’d better check my configuration.” Aloud, I assured headquarters that my system is state-of-the-art and up to any communications challenge.

“Good to hear. The relationship with Wide World Importers is important. All communication with them must be both authenticated and encrypted. I want the incoming communications copied to the intelligence officer at headquarters before they’ve been processed by any of your internal servers. And make sure that none of those messages is blocked. That would look bad, very bad. One more thing, Admin, I want all communications to appear as if they come directly from Northwind Traders headquarters office. There’s no need to expose the enterprise’s internal organization to Wide World Importers. Do you have all that?”

“Yes sir, we’ll verify our security systems and then begin negotiations. I’ll make sure that I copy you on any transmissions involving Wide World Importers.”

Communicating to the Team

As soon as my conversation with headquarters ended, I contacted my Design and Engineering officers by e-mail. I've copied the complete thread here:

----- Original Message -----

To: Design@enterprise.northwindtraders.com; Engineer@enterprise.northwindtraders.com

From: Administrator@enterprise.northwindtraders.com

Subject: More Corporate Regulations

Corporate headquarters has entrusted the enterprise to begin negotiations with Wide World Importers. However, before we can start transmissions, I must be certain that our messaging system can meet the communication requirements. Here are the newest corporate mandates:

  • Messages from Wide World Importers must be copied to headquarters before they are processed by internal servers.

  • All messages sent to Wide World Importers must also be copied to headquarters.

  • We must disguise our enterprise e-mail address and replace it with a Northwind Traders address.

  • All messages to or from Wide World Importers must be authenticated and encrypted, and they should never be blocked. Is there some way to verify the messages really are from Wide World Importers before we accept them?

As long as we’re at it, I’m a bit concerned about letting Tailspin Toys enter the communications port with attachments. It seems there’s been a virus outbreak related to their messages.

----- Reply -----

To: Administrator@enterprise.northwindtraders.com; Engineer@enterprise.northwindtraders.com

From: Design@enterprise.northwindtraders.com

Subject: Re: More Corporate Regulations

Admin, it seems logical to me. We should implement rules that apply on the edge of the network, and address rewriting, Domain Security, and attachment filtering. It would also be better if we could limit anonymous communication port connections to the edge of the network. I suggest we deploy an Edge Transport server.

----- Reply -----

To: Administrator@enterprise.northwindtraders.com; Design@enterprise.northwindtraders.com

From: Engineer@enterprise.northwindtraders.com

Subject: Re: More Corporate Regulations

I concur with the Design officer. Admin, if we can deploy an Edge Transport server, it will be like having an anti-spam force field around the enterprise and a bouncer at Port 25! And because the Edge Transport server uses the same management interfaces as all the other Exchange 2007 server roles, I’ll be able to learn the ropes immediately. Should I get the configuration underway?

----- Reply -----

To: Engineer@enterprise.northwindtraders.com; Design@enterprise.northwindtraders.com

From: Administrator@enterprise.northwindtraders.com

Subject: Re: More Corporate Regulations

Meet me in the conferencing bay in an hour and we’ll discuss.

Designing the Solution

Both the Design and Engineering officers seemed sure that an Edge Transport server would solve all my problems, but I still had questions. Everyone arrived in the conferencing bay right on time with all the information I needed.

The Design officer provided the following matrix of the anti-spam and antivirus features that are available for the Hub Transport and Edge Transport server roles. I discovered that Exchange 2007 agents can implement all the features I want to use.

Feature (Supported on Edge Transport servers? / Supported on Hub Transport servers?)

Attachment filter (Edge: Yes / Hub: No)
The Attachment Filter agent lets you block specific attachment types. The attachment can be stripped but delivery of the e-mail message is allowed, or both the attachment and e-mail message can be silently deleted.

Connection filter (Edge: Yes / Hub: Yes)
The Connection Filter agent lets you filter connections based on source IP address or IP address range. Connections from known spam sources can be blocked.

Content filter (Edge: Yes / Hub: Yes)
The Content Filter agent evaluates the likelihood of e-mail being spam. With an Exchange Enterprise Client Access License (CAL), you get regular content filter updates. These include updated data about phishing Web sites, Microsoft SmartScreen spam heuristics, and other Intelligent Message Filter updates.

Recipient filtering (Edge: Yes, with an Edge Subscription / Hub: Yes)
The Recipient Filter agent lets you accept only e-mail that is sent to valid recipients.

Sender filtering (Edge: Yes / Hub: Yes)
The Sender Filter agent lets you block e-mail that is received from specific senders. For example, you can block e-mail from known spam originators.

Sender ID (Edge: Yes / Hub: Yes)
The Sender ID agent verifies the originating IP address for a received e-mail message against the registered IP addresses for the source domain.

Safelist aggregation (Edge: Yes / Hub: Yes)
This feature collects data from the anti-spam Safe Recipients Lists or Safe Senders Lists and contact data that Outlook users configure and then makes this data available to the anti-spam agents on the computer that has the Edge Transport server role installed. Safelist aggregation can help reduce the instances of false positives in anti-spam filtering that is performed by the Edge Transport server. When an Exchange administrator enables and correctly configures safelist aggregation, the Content Filter agent passes safe e-mail messages to the enterprise mailbox without additional processing.

Address rewriting (Edge: Yes / Hub: No)
The Address Rewriting agent lets you mask the identity of an internal domain by rewriting the internal e-mail address to an alternative address.

Transport rules (Edge: Yes / Hub: Yes)
Transport rules let you take an action on sent and received e-mail. Different predicates, actions, and exceptions are available on Edge Transport servers than those available on Hub Transport servers. Edge Transport rules provide additional anti-spam and antivirus functionality. Hub Transport rules enable policy enforcement inside the Exchange 2007 organization. For more information, see Overview of Transport Rules.

Domain Security (Edge: Yes, with an Edge Subscription / Hub: No)
Domain Security lets you identify trusted domains and negotiate security for e-mail communications with those domains.

The Design officer also provided me with links to more information about each of these features:

“Okay, it looks like I can use an Edge Transport server to implement the features that I need to meet corporate regulations for communications with Wide World Importers. But how will the Engineering officer accomplish the deployment and provide fault tolerance?” I asked.

“I have that all worked out, Admin,” explained the Engineering officer. “I’ll deploy two Edge Transport servers in the perimeter network. I’ll configure DNS to use a round-robin mechanism to load-balance the inbound connections. That will mean manually creating certificates with the FQDN of both servers to provide domain security, but I have the procedures linked right here: Creating a Certificate or Certificate Request for TLS.”

“Hmm. How will you keep the configuration consistent between the servers? And what about load-balancing and fault tolerance for the outbound connections?” I asked.

“I’ll use cloned configuration to make sure that the servers have a consistent configuration. Then I’ll create an Edge Subscription for both servers. This will let us use all the Edge Transport server's features, including safelist aggregation. That will keep Wide World Importers messages from ever being blocked. The Edge Subscription will also create all the Send connectors we need. Both Edge Transport servers will be listed as source servers for the outbound Send connector, so we’ll get load-balancing and fault tolerance for outbound connections, too.” It sounded as if the Engineering officer had been considering this solution for a while. I found more information about cloned configuration here: Using Edge Transport Server Cloned Configuration.

“I’m still somewhat concerned about how this affects security. I’ll have to justify the expense of the additional hardware,” I said to temper the Engineering officer's enthusiasm.

“Well, Admin,” the Engineering officer responded, “by deploying an Edge Transport server, we’ll be able to turn off the anonymous access we enabled on the Receive connector on the Hub Transport server. We’ll have better protection of our internal resources, such as the Active Directory directory service. Spam and viruses will be blocked at the earliest possible point. We’ll have better defenses against external threats, directory harvest attacks, and denial of service attacks at the SMTP layer. By moving anti-spam functionality out to the edge, we’ll also reduce the processing overhead on the internal messaging servers. To make sure that we have a defense-in-depth strategy, I’ll continue to perform internal antivirus scanning on the Hub Transport servers. I was planning to add a Hub Transport server to help with the anti-spam load anyway, so the hardware is already available.”

“Wait a minute. How does the Edge Transport server protect Active Directory? How can it perform recipient lookup if it’s not looking them up in Active Directory?” I asked.

“Oh, the Edge Subscription handles that,” explained the Engineering officer. “I’ll deploy the Edge Transport servers in a workgroup, and then the Microsoft Exchange EdgeSync service will replicate the recipients to the Edge Transport server as encrypted objects. The Edge Transport server will store the data in the Active Directory Application Mode (ADAM) directory service. Look, I have a link to a resource to help you understand this technology right here: Understanding Edge Subscriptions.”

The Design officer supported the Engineering officer’s statements. “Admin,” the Design officer said. “I concur with the Engineering officer’s plans. It’s the most logical recourse for providing the functionality that headquarters requires.”

“Very well,” I concluded. “Let’s deploy.”

Implementing the Solution

The Engineering officer had the hardware up and running in short order, and we were ready to begin configuration of the Edge Transport server role to meet the requirements of corporate headquarters.

The first task was to implement address rewriting to disguise the identity of the enterprise subdomain. We followed the procedures in this topic, How to Rewrite All E-Mail Messages from Sub-Domains. I was really impressed by how easy it is to use the Exchange Management Shell. Now all e-mail that is sent from our enterprise.NorthwindTraders.com appears to come directly from NorthwindTraders.com.

Configuring Domain Security looked like it might be tricky. But the topic, How to Configure Mutual TLS for Domain Security, helped us through the process. We added the WideWorldImporters domain to the TLSReceiveDomainSecureList and the TLSSendDomainSecureList attributes by using the Set-TransportConfig cmdlet on a Hub Transport server. And the Microsoft Exchange EdgeSync service took care of replicating that information to the new Edge Transport server.

To make sure that e-mail from Wide World Importers is never blocked, I added the WideWorldImporters domain to my Safe Senders list in Outlook. We used the Update-Safelist cmdlet to update the safelist information for Outlook users and then verified that the Microsoft Exchange EdgeSync service was replicating this data and that content filtering was enabled on the Edge Transport server. To make sure we hadn't missed anything, we followed the steps in How to Configure Safelist Aggregation.

Because corporate headquarters insists that all mail to and from Wide World Importers is copied to their intelligence officer, we created two transport rules on the Edge Transport server to achieve just this. By following the directions in How to Create a New Transport Rule, we configured one rule that looks for the word "WideWorldImporters" in the recipient address on messages sent from inside the organization and then sends a copy of the message to the intelligence officer. We then created a second rule that looks for the word "WideWorldImporters" in the sender address on messages sent from outside the organization and then sends a copy to the intelligence officer.

The Engineering officer is developing a list of attachment names and extensions that should be blocked from entering our enterprise. He's following the procedures in How to Configure Attachment Filtering. I'm definitely relieved to know that I can stop worrying about Tailspin Toys sending us viral attachments.
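The configuration described in the steps above (address rewriting, Domain Security, the two copy-to-headquarters transport rules and attachment filtering), as an added Exchange Management Shell example that is not part of the original post or its linked topics. The partner SMTP domain, the intelligence officer's address, the connector names and the blocked attachment types are assumptions; the predicate and action names (AnyOfRecipientAddressContains, FromAddressContains, FromScope, BlindCopyTo) are the Exchange 2007 names as I recall them, so confirm them by running Get-TransportRulePredicate and Get-TransportRuleAction with no arguments, which list what the local server role supports.

```powershell
# Exchange Management Shell, Exchange 2007. Domain, mailbox and connector names
# below are assumptions for illustration, not values taken from the post.

# 1. Address rewriting (on the Edge Transport server). A wildcard internal
#    address must be outbound-only, so replies still reach the real subdomain.
New-AddressRewriteEntry -Name "Mask enterprise subdomain" `
    -InternalAddress "*.northwindtraders.com" `
    -ExternalAddress "northwindtraders.com" -OutboundOnly $true

# 2. Domain Security (on a Hub Transport server; EdgeSync pushes it to the Edge).
$partner = "wideworldimporters.com"   # assumed SMTP domain of the partner
Set-TransportConfig -TLSSendDomainSecureList $partner `
    -TLSReceiveDomainSecureList $partner
# Mutual TLS is only enforced on connectors that have Domain Security enabled.
# Connector names are assumed; check yours with Get-SendConnector/Get-ReceiveConnector.
Set-SendConnector -Identity "EdgeSync - Default-First-Site-Name to Internet" `
    -DomainSecureEnabled $true
Set-ReceiveConnector -Identity "Default internal Receive connector EDGE01" `
    -DomainSecureEnabled $true

# 3. Two Edge transport rules that Bcc partner mail to the intelligence officer.
#    If Get-TransportRuleAction does not list BlindCopyTo on the Edge role,
#    the same two rules can be created on a Hub Transport server instead.
$intel = "intelligence@northwindtraders.com"   # assumed mailbox address
$outbound = Get-TransportRulePredicate AnyOfRecipientAddressContains
$outbound.Words = @("WideWorldImporters")
$fromInside = Get-TransportRulePredicate FromScope
$fromInside.Scope = "InOrganization"
$copyToIntel = Get-TransportRuleAction BlindCopyTo
$copyToIntel.Addresses = @($intel)
New-TransportRule -Name "Copy outbound Wide World Importers mail" `
    -Conditions @($outbound, $fromInside) -Actions @($copyToIntel)

$inbound = Get-TransportRulePredicate FromAddressContains
$inbound.Words = @("WideWorldImporters")
$fromOutside = Get-TransportRulePredicate FromScope
$fromOutside.Scope = "NotInOrganization"
New-TransportRule -Name "Copy inbound Wide World Importers mail" `
    -Conditions @($inbound, $fromOutside) -Actions @($copyToIntel)

# 4. Attachment filtering (on the Edge Transport server): strip executables but
#    still deliver the message, as the feature matrix describes.
Add-AttachmentFilterEntry -Name "*.exe" -Type FileName
Add-AttachmentFilterEntry -Name "application/x-msdownload" -Type ContentType
Set-AttachmentFilterListConfig -Action Strip `
    -AdminMessage "An attachment was removed by Northwind Traders policy."

# Verify what was applied before opening the port to the partner.
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-TransportRule | Format-List Name, Conditions, Actions
```

Run the address-rewriting, rule and attachment-filter commands on each Edge Transport server (or once, then clone the configuration as the Engineering officer planned), and the Set-TransportConfig command once on a Hub Transport server.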

Epilogue

Keeping our enterprise running smoothly is always challenging, but today I was able to implement a messaging solution worthy of the next generation. The negotiations with Wide World Importers are going well, and headquarters has confidence and trust in the messages and is pleased with the documentation trail I have provided.

Note

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.

For More Information

Write your own stories of success when you discover the benefits of deploying an Edge Transport server. For more information, see the following resources:

Kate Follis - Senior Technical Writer, Microsoft Exchange Server